Re: Considering the pressure to turn HTTPS into a three-party protocol

> On 16 Feb 2015, at 4:59 pm, Ryan Sleevi <sleevi@google.com> wrote:
> 
> The overall topic is that you've presented as "An Issue" for the TAG a
> question of how users use and administer their machines, and whether
> the TAG should intervene. I'm (hopefully clearly) rather opposed to
> this.

That's a concise statement of the problem, thanks. Note, however, that I'm NOT suggesting that the TAG intervene, on two fronts:

a) I'm suggesting that the TAG *talk* about it as an architectural issue -- where the actual "intervention" happens is TBD

b) I'm not suggesting that we constrain or otherwise specify *how* users use and administer their machines -- I'm wondering if browsers need to expose different / more information about the machines they're running on, and/or whether users need more education about it.

> If this is the criteria for the TAG getting involved, why not focus on
> the fact that UAs now tend to expose Developer Tools, and these
> Developer Tools may be used for nefarious purposes. [1]

Indeed. My older son is now known as a "hacker" at his high school, due to his elite devtools skills...

> Should the TAG
> provide guidance on how developers should be allowed to modify the
> DOM? Or guidance for Site Authors on how to prevent modifications to
> the DOM? Should the W3C provide security UI guidance for users who
> open their Developer Tools, discouraging them from the evil that may
> await?
> 
> You may see it as presenting strawmen,

Indeed.

> but I'm trying to show how your
> stated criteria provides a very shaky foundation, one which quickly
> encroaches on things I hope we all know to be Terribly Bad Ideas for
> the W3C to be involved in, and hopefully to demonstrate that this is
> equally one of those Terribly Bad Ideas.

Perhaps it's your perception of the criteria which is on a shaky foundation...

Cheers,

--
Mark Nottingham   https://www.mnot.net/

Received on Monday, 16 February 2015 06:14:33 UTC